Project

General

Profile

Support #2956

Beginner Guide Please about Windows 64-bit installer: Suricata-4.1.3-1-64bit.msi

Added by Hanif Prasetiyo 5 months ago. Updated 3 months ago.

Status:
New
Priority:
Low
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:
Beginner

Description

hello guys, noob question here. I try to install Windows 64-bit installer: Suricata-4.1.3-1-64bit.msi under Windows 7. Is there any guide I can follow? coz I'm kinda confused with the guide in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Windows and https://redmine.openinfosecfoundation.org/attachments/download/1175/SuricataWinInstallationGuide_v1.4.3.pdf. Those 2 guide doesn't tell me about installing npcap (https://nmap.org/npcap/) but the tools itself try to tell me to install npcap. After i try to install npcap and try to run suricata i've got this error:

C:\Program Files\Suricata>suricata.exe -c suricata.yaml -i 192.168.10.6
3/5/2019 -- 09:31:54 - <Info> - Running as service: no
3/5/2019 -- 09:31:56 - <Info> - translated 192.168.10.6 to pcap device \Device\NPF_{3221065E-8591-4573-8FC6-E2416A318579}
Error opening file C:\Program Files\Suricata\log\suricata.log
3/5/2019 -- 09:31:56 - <Notice> - This is Suricata version 4.1.3 RELEASE
3/5/2019 -- 09:31:56 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. S
ee ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
3/5/2019 -- 09:31:56 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\log/fast.log": Permission denied
3/5/2019 -- 09:31:56 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
3/5/2019 -- 09:31:56 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\log/eve.json": Permission denied
3/5/2019 -- 09:31:56 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
3/5/2019 -- 09:31:56 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\log/stats.log": Permission denied
3/5/2019 -- 09:31:56 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
3/5/2019 -- 09:31:56 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
3/5/2019 -- 09:31:57 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\\\threshold.config": No such file or directory
3/5/2019 -- 09:32:01 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on \Device\NPF_{3221065E-8591-4573-8FC6-E2416A318579}: Checksum IPv4 Rx: 1 Tx: 1 IPv6 Rx: 0 Tx: 0 LSOv1 IPv4:
1 LSOv2 IPv4: 0 IPv6: 0
3/5/2019 -- 09:32:01 - <Notice> - all 2 packet processing threads, 2 management threads initialized, engine started.

Hope somebody can help me and guide me the proper way to use suricata. Thank you...


Files

Screenshot_2.png (24.4 KB) Screenshot_2.png When i try to set suricata.exe with privileges Hanif Prasetiyo, 05/03/2019 08:14 PM
Screenshot_3.png (26.1 KB) Screenshot_3.png Hanif Prasetiyo, 05/24/2019 10:06 PM
Screenshot_4.png (24.2 KB) Screenshot_4.png Hanif Prasetiyo, 06/08/2019 06:13 AM
Screenshot_4.png (24.2 KB) Screenshot_4.png Hanif Prasetiyo, 06/08/2019 11:41 AM
Screenshot_5.png (108 KB) Screenshot_5.png Hanif Prasetiyo, 06/09/2019 08:24 AM
Screenshot_6.png (371 KB) Screenshot_6.png Hanif Prasetiyo, 06/11/2019 02:33 PM
stats.log (200 KB) stats.log Hanif Prasetiyo, 06/11/2019 08:50 PM
eve.json (351 KB) eve.json Hanif Prasetiyo, 06/11/2019 08:50 PM

History

#1

Updated by Peter Manev 5 months ago

Thank you for the report and trying out the msi/windows install.
The msi comes with start up guide that is available from the windows start menu. You would need to have npcap installed as mentioned by the install - at the end of the installation process.

From the info provided - it seems the issue is related to permission. Can you try running with privileges?

#2

Updated by Hanif Prasetiyo 5 months ago

Peter Manev wrote:

Thank you for the report and trying out the msi/windows install.
The msi comes with start up guide that is available from the windows start menu. You would need to have npcap installed as mentioned by the install - at the end of the installation process.

From the info provided - it seems the issue is related to permission. Can you try running with privileges?

Thank you Peter Manev for your replies, I try to set the privileges on suricata.exe but it appear like this(you can see in the image), I can't turn on run as administrator.

Before we go any further can I ask you something sir, should I install cygwin first before i can run suricata.exe or skip that part? because I'm getting some error when i try to execute folowing command :

./autogen.sh && ./configure --enable-luajit --enable-pie --enable-geoip --disablegccmarch-native --with-libnss-libraries=/usr/lib --with-libnssincludes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnsprincludes=/usr/include/nspr && make clean && make

and i've got this error

Found libtoolize
autoreconf-2.69: Entering directory `.'
autoreconf-2.69: configure.ac: not using Gettext
autoreconf-2.69: running: aclocal --force -I m4
autoreconf-2.69: configure.ac: tracing
autoreconf-2.69: configure.ac: adding subdirectory libhtp to autoreconf
autoreconf-2.69: Entering directory `libhtp'
autoreconf-2.69: running: libtoolize --copy --force
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
autoreconf-2.69: running: /usr/bin/autoconf-2.69 --force
autoreconf-2.69: running: /usr/bin/autoheader-2.69 --force
autoreconf-2.69: running: automake --add-missing --copy --force-missing
configure.ac:86: installing './compile'
configure.ac:7: installing './missing'
htp/Makefile.am: installing './depcomp'
autoreconf-2.69: Leaving directory `libhtp'
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:9: installing './compile'
configure.ac:6: installing './missing'
src/Makefile.am: installing './depcomp'
autoreconf-2.69: Leaving directory `.'
which: no cargo in (/usr/local/bin:/usr/bin:/cygdrive/c/Windows/system32:/cygdrive/c/Windows:/cygdrive/c/Windows/System32/Wbem:/cygdrive/c/Windows/System32/WindowsPowerShell/v1.0:/usr/bin:/libpkgconfig)
You can now run "./configure" and then "make".
configure: error: unrecognized option: `--disablegccmarch-native'
Try `./configure --help' for more information

it seems like doesn't same as config in page 29 in PDF https://redmine.openinfosecfoundation.org/attachments/download/1175/SuricataWinInstallationGuide_v1.4.3.pdf

#3

Updated by Peter Manev 4 months ago

You only need to run it with permissions i think. It seems the install has done the job correctly. You do not need to install Cygwin if you are using the official MSI.

#4

Updated by Hanif Prasetiyo 4 months ago

Peter Manev wrote:

You only need to run it with permissions i think. It seems the install has done the job correctly. You do not need to install Cygwin if you are using the official MSI.

Thx for your replies again sir, I try to run cmd under privileged but I still got this error(you can see in the screenshot). Can you tell me what should I do?

#5

Updated by Peter Manev 4 months ago

Can you try adding "-vvv" to your command and share the output please?

#6

Updated by Hanif Prasetiyo 4 months ago

Peter Manev wrote:

Can you try adding "-vvv" to your command and share the output please?

here the output sir,

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:/Program FIles/Suricata

C:\Program Files\Suricata>suricata.exe -c suricata.yaml -i eth6 -vvv
27/5/2019 -- 04:05:44 - <Info> - Running as service: no
27/5/2019 -- 04:05:44 - <Notice> - This is Suricata version 4.1.3 RELEASE
27/5/2019 -- 04:05:44 - <Info> - CPUs/cores online: 1
27/5/2019 -- 04:05:44 - <Config> - 'default' server has 'request-body-minimal-in
spect-size' set to 34047 and 'request-body-inspect-window' set to 4002 after ran
domization.
27/5/2019 -- 04:05:44 - <Config> - 'default' server has 'response-body-minimal-i
nspect-size' set to 39325 and 'response-body-inspect-window' set to 15621 after
randomization.
27/5/2019 -- 04:05:44 - <Config> - DNS request flood protection level: 500
27/5/2019 -- 04:05:44 - <Config> - DNS per flow memcap (state-memcap): 524288
27/5/2019 -- 04:05:44 - <Config> - DNS global memcap: 16777216
27/5/2019 -- 04:05:44 - <Config> - Protocol detection and parser disabled for mo
dbus protocol.
27/5/2019 -- 04:05:44 - <Config> - Protocol detection and parser disabled for en
ip protocol.
27/5/2019 -- 04:05:44 - <Config> - Protocol detection and parser disabled for DN
P3.
27/5/2019 -- 04:05:45 - <Config> - allocated 262144 bytes of memory for the host
 hash... 4096 buckets of size 64
27/5/2019 -- 04:05:45 - <Config> - preallocated 1000 hosts of size 104
27/5/2019 -- 04:05:45 - <Config> - host memory usage: 366144 bytes, maximum: 335
54432
27/5/2019 -- 04:05:46 - <Config> - allocated 1572864 bytes of memory for the def
rag hash... 65536 buckets of size 24
27/5/2019 -- 04:05:46 - <Config> - preallocated 65535 defrag trackers of size 12
0
27/5/2019 -- 04:05:46 - <Config> - defrag memory usage: 9437064 bytes, maximum:
33554432
27/5/2019 -- 04:05:46 - <Config> - stream "prealloc-sessions": 2048 (per thread)

27/5/2019 -- 04:05:46 - <Config> - stream "memcap": 67108864
27/5/2019 -- 04:05:46 - <Config> - stream "midstream" session pickups: disabled
27/5/2019 -- 04:05:46 - <Config> - stream "async-oneside": disabled
27/5/2019 -- 04:05:46 - <Config> - stream "checksum-validation": enabled
27/5/2019 -- 04:05:46 - <Config> - stream."inline": disabled
27/5/2019 -- 04:05:46 - <Config> - stream "bypass": disabled
27/5/2019 -- 04:05:47 - <Config> - stream "max-synack-queued": 5
27/5/2019 -- 04:05:47 - <Config> - stream.reassembly "memcap": 268435456
27/5/2019 -- 04:05:47 - <Config> - stream.reassembly "depth": 1048576
27/5/2019 -- 04:05:47 - <Config> - stream.reassembly "toserver-chunk-size": 2531

27/5/2019 -- 04:05:47 - <Config> - stream.reassembly "toclient-chunk-size": 2652

27/5/2019 -- 04:05:47 - <Config> - stream.reassembly.raw: enabled
27/5/2019 -- 04:05:47 - <Config> - stream.reassembly "segment-prealloc": 2048
27/5/2019 -- 04:05:47 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)]
- in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<even
t>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this messa
ge, set stats.decoder-events-prefix in the yaml.
27/5/2019 -- 04:05:47 - <Info> - fast output device (regular) initialized: fast.
log
27/5/2019 -- 04:05:48 - <Info> - eve-log output device (regular) initialized: ev
e.json
27/5/2019 -- 04:05:48 - <Config> - enabling 'eve-log' module 'alert'
27/5/2019 -- 04:05:48 - <Config> - enabling 'eve-log' module 'http'
27/5/2019 -- 04:05:48 - <Config> - enabling 'eve-log' module 'dns'
27/5/2019 -- 04:05:48 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve
-log dns version not found, forcing it to version 1
27/5/2019 -- 04:05:48 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve
-log dns version not found, forcing it to version 1
27/5/2019 -- 04:05:48 - <Config> - enabling 'eve-log' module 'tls'
27/5/2019 -- 04:05:48 - <Config> - enabling 'eve-log' module 'files'
27/5/2019 -- 04:05:48 - <Config> - enabling 'eve-log' module 'smtp'
27/5/2019 -- 04:05:48 - <Config> - enabling 'eve-log' module 'ssh'
27/5/2019 -- 04:05:48 - <Config> - enabling 'eve-log' module 'stats'
27/5/2019 -- 04:05:48 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] -
 eve.stats will not display all decoder events correctly. See #2225. Set a prefi
x in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.eve
nt'.
27/5/2019 -- 04:05:48 - <Config> - enabling 'eve-log' module 'flow'
27/5/2019 -- 04:05:48 - <Info> - stats output device (regular) initialized: stat
s.log
27/5/2019 -- 04:05:49 - <Config> - Delayed detect disabled
27/5/2019 -- 04:05:49 - <Config> - pattern matchers: MPM: ac, SPM: bm
27/5/2019 -- 04:05:49 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139
, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
27/5/2019 -- 04:05:49 - <Config> - grouping: udp-whitelist (default) 53, 135, 50
60
27/5/2019 -- 04:05:49 - <Config> - prefilter engines: MPM
27/5/2019 -- 04:05:49 - <Config> - IP reputation disabled
27/5/2019 -- 04:05:49 - <Config> - Loading rule file: C:\\Program Files\\Suricat
a\\rules\\emerging-dos.rules
27/5/2019 -- 04:05:50 - <Config> - Loading rule file: C:\\Program Files\\Suricat
a\\rules\\emerging-scan.rules
27/5/2019 -- 04:05:50 - <Info> - 2 rule files processed. 291 rules successfully
loaded, 0 rules failed
27/5/2019 -- 04:05:51 - <Info> - Threshold config parsed: 0 rule(s) found
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for tcp-packet
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for tcp-stream
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for udp-packet
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for other-ip
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_uri
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_request_line
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_client_body
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_response_line
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_header
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_header
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_header_names
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_header_names
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_accept
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_accept_enc
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_accept_lang
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_referer
27/5/2019 -- 04:05:51 - <Perf> - using shared mpm ctx' for http_connection
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_content_len
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_content_len
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_content_type
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_content_type
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_protocol
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_protocol
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_start
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_start
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_raw_header
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_raw_header
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_method
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_cookie
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_cookie
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_raw_uri
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_user_agent
27/5/2019 -- 04:05:52 - <Perf> - using shared mpm ctx' for http_host
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for http_raw_host
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for http_stat_msg
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for http_stat_code
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for dns_query
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for tls_sni
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for tls_cert_issuer
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for tls_cert_subject
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for tls_cert_serial
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for tls_cert_fingerprint
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for ja3_hash
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for ja3_string
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for dce_stub_data
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for dce_stub_data
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for ssh_protocol
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for ssh_protocol
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for ssh_software
27/5/2019 -- 04:05:53 - <Perf> - using shared mpm ctx' for ssh_software
27/5/2019 -- 04:05:54 - <Perf> - using shared mpm ctx' for file_data
27/5/2019 -- 04:05:54 - <Perf> - using shared mpm ctx' for file_data
27/5/2019 -- 04:05:54 - <Info> - 291 signatures processed. 0 are IP-only rules,
154 are inspecting packet payload, 155 inspect application layer, 0 are decoder
event only
27/5/2019 -- 04:05:54 - <Config> - building signature grouping structure, stage
1: preprocessing rules... complete
27/5/2019 -- 04:05:54 - <Perf> - TCP toserver: 41 port groups, 27 unique SGH's,
14 copies
27/5/2019 -- 04:05:54 - <Perf> - TCP toclient: 9 port groups, 5 unique SGH's, 4
copies
27/5/2019 -- 04:05:54 - <Perf> - UDP toserver: 32 port groups, 16 unique SGH's,
16 copies
27/5/2019 -- 04:05:54 - <Perf> - UDP toclient: 14 port groups, 8 unique SGH's, 6
 copies
27/5/2019 -- 04:05:55 - <Perf> - OTHER toserver: 2 proto groups, 1 unique SGH's,
 1 copies
27/5/2019 -- 04:05:55 - <Perf> - OTHER toclient: 2 proto groups, 0 unique SGH's,
 2 copies
27/5/2019 -- 04:05:55 - <Perf> - Unique rule groups: 57
27/5/2019 -- 04:05:55 - <Perf> - Builtin MPM "toserver TCP packet": 10
27/5/2019 -- 04:05:55 - <Perf> - Builtin MPM "toclient TCP packet": 4
27/5/2019 -- 04:05:55 - <Perf> - Builtin MPM "toserver TCP stream": 14
27/5/2019 -- 04:05:55 - <Perf> - Builtin MPM "toclient TCP stream": 3
27/5/2019 -- 04:05:55 - <Perf> - Builtin MPM "toserver UDP packet": 16
27/5/2019 -- 04:05:55 - <Perf> - Builtin MPM "toclient UDP packet": 8
27/5/2019 -- 04:05:55 - <Perf> - Builtin MPM "other IP packet": 1
27/5/2019 -- 04:05:55 - <Perf> - AppLayer MPM "toserver http_uri": 2
27/5/2019 -- 04:05:55 - <Perf> - AppLayer MPM "toserver http_client_body": 1
27/5/2019 -- 04:05:55 - <Perf> - AppLayer MPM "toserver http_header": 2
27/5/2019 -- 04:05:55 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
27/5/2019 -- 04:05:55 - <Perf> - AppLayer MPM "toserver http_user_agent": 2
27/5/2019 -- 04:05:55 - <Perf> - AppLayer MPM "toclient file_data": 1
27/5/2019 -- 04:05:56 - <Config> - AutoFP mode using "Hash" flow load balancer
27/5/2019 -- 04:05:56 - <Info> - Using 1 live device(s).
27/5/2019 -- 04:05:56 - <Info> - using interface eth6
#7

Updated by Peter Manev 4 months ago

It seems it is starting according to the expectations. Do you get logs generated as you are sniffing/browsing ?

#8

Updated by Hanif Prasetiyo 4 months ago

Peter Manev wrote:

It seems it is starting according to the expectations. Do you get logs generated as you are sniffing/browsing ?

sorry for late replies sir, can you tell me what kind logs? and where can I find that? I just found these log in folder C:\Program File\Suricata\log\suricata.log

25/5/2019 -- 04:57:24 - <Notice> - This is Suricata version 4.1.3 RELEASE
25/5/2019 -- 04:57:24 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
25/5/2019 -- 04:57:24 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 04:57:24 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 04:57:24 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
25/5/2019 -- 04:57:24 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\\\threshold.config": No such file or directory
25/5/2019 -- 11:00:06 - <Notice> - This is Suricata version 4.1.3 RELEASE
25/5/2019 -- 11:00:06 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
25/5/2019 -- 11:00:06 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 11:00:06 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 11:00:06 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
25/5/2019 -- 11:00:06 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\\\threshold.config": No such file or directory
25/5/2019 -- 12:02:39 - <Notice> - This is Suricata version 4.1.3 RELEASE
25/5/2019 -- 12:02:39 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
25/5/2019 -- 12:02:39 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 12:02:39 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 12:02:39 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
25/5/2019 -- 12:48:59 - <Notice> - This is Suricata version 4.1.3 RELEASE
25/5/2019 -- 12:48:59 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
25/5/2019 -- 12:48:59 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 12:48:59 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 12:48:59 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
25/5/2019 -- 12:55:26 - <Notice> - This is Suricata version 4.1.3 RELEASE
25/5/2019 -- 12:55:26 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
25/5/2019 -- 12:55:26 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 12:55:26 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
25/5/2019 -- 12:55:26 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
27/5/2019 -- 04:05:44 - <Notice> - This is Suricata version 4.1.3 RELEASE
27/5/2019 -- 04:05:44 - <Info> - CPUs/cores online: 1
27/5/2019 -- 04:05:47 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
27/5/2019 -- 04:05:47 - <Info> - fast output device (regular) initialized: fast.log
27/5/2019 -- 04:05:48 - <Info> - eve-log output device (regular) initialized: eve.json
27/5/2019 -- 04:05:48 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
27/5/2019 -- 04:05:48 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
27/5/2019 -- 04:05:48 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.
27/5/2019 -- 04:05:48 - <Info> - stats output device (regular) initialized: stats.log
27/5/2019 -- 04:05:50 - <Info> - 2 rule files processed. 291 rules successfully loaded, 0 rules failed
27/5/2019 -- 04:05:51 - <Info> - Threshold config parsed: 0 rule(s) found
27/5/2019 -- 04:05:54 - <Info> - 291 signatures processed. 0 are IP-only rules, 154 are inspecting packet payload, 155 inspect application layer, 0 are decoder event only
27/5/2019 -- 04:05:56 - <Info> - Using 1 live device(s).
27/5/2019 -- 04:05:56 - <Info> - using interface eth6
2/6/2019 -- 16:16:12 - <Notice> - This is Suricata version 4.1.3 RELEASE
2/6/2019 -- 16:16:13 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2/6/2019 -- 16:16:13 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
2/6/2019 -- 16:16:13 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 1
2/6/2019 -- 16:16:13 - <Warning> - [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.

#9

Updated by Peter Manev 4 months ago

Yes - they should be in " C:\Program File\Suricata\log\" - mainly eve.json.

#10

Updated by Hanif Prasetiyo 3 months ago

Peter Manev wrote:

Yes - they should be in " C:\Program File\Suricata\log\" - mainly eve.json.

thanks for your replies again sir. I try to open eve.json in " C:\Program File\Suricata\log\" and it's empty file sir, what should I do?

#11

Updated by Hanif Prasetiyo 3 months ago

Hanif Prasetiyo wrote:

Peter Manev wrote:

Yes - they should be in " C:\Program File\Suricata\log\" - mainly eve.json.

thanks for your replies again sir. I try to open eve.json in " C:\Program File\Suricata\log\" and it's empty file sir, what should I do?

umm sir, I just figured what is wrong in my suricata.yaml about an error that tells "eve-dns version not found" and adding version on output>eve-log>alerts>dns>adding "version: 2" and now the error disappears. but I still got like this

27/5/2019 -- 04:05:47 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)]
- in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<even
t>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this messa
ge, set stats.decoder-events-prefix in the yaml.

and looks for fix and just found this on website https://code.forksand.com/oisf/suricata/commit/0d86263efdae0ade81d03f841965a5285bb3e9e1
the problem now i can't find file name counter.c, decode.c, util-error.c, and util-error.h in suricata folder (windows), can you tell me how to make eve.stats: decoder event prefix configurable in windows?

#12

Updated by Hanif Prasetiyo 3 months ago

Hanif Prasetiyo wrote:

Hanif Prasetiyo wrote:

Peter Manev wrote:

Yes - they should be in " C:\Program File\Suricata\log\" - mainly eve.json.

thanks for your replies again sir. I try to open eve.json in " C:\Program File\Suricata\log\" and it's empty file sir, what should I do?

umm sir, I just figured what is wrong in my suricata.yaml about an error that tells "eve-dns version not found" and adding version on output>eve-log>alerts>dns>adding "version: 2" and now the error disappears. but I still got like this
[...]
and looks for fix and just found this on website https://code.forksand.com/oisf/suricata/commit/0d86263efdae0ade81d03f841965a5285bb3e9e1
the problem now i can't find file name counter.c, decode.c, util-error.c, and util-error.h in suricata folder (windows), can you tell me how to make eve.stats: decoder event prefix configurable in windows?

this problem is solved now, but my Suricata still cannot start sir? I think the last problem is error "<info> - Running as service: no" please help me, sir,

#13

Updated by Peter Manev 3 months ago

 [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)]

Is just a warning, that the default will change in 5.0.
From what i saw last it seems your Suricata is starting as you receive
27/5/2019 -- 04:05:56 - <Config> - AutoFP mode using "Hash" flow load balancer
27/5/2019 -- 04:05:56 - <Info> - Using 1 live device(s).
27/5/2019 -- 04:05:56 - <Info> - using interface eth6

After it starts - can you leave it for a few minutes - like 20 - (presuming you have traffic ongoing) and then - stop it (Ctrl+c), after it exits it should have the log files populated/closed etc. Then have a look in eve.json to see if it is populated? Could you also please share your stats.log file ?

#14

Updated by Hanif Prasetiyo 3 months ago

Peter Manev wrote:

[...]
Is just a warning, that the default will change in 5.0.
From what i saw last it seems your Suricata is starting as you receive
[...]

After it starts - can you leave it for a few minutes - like 20 - (presuming you have traffic ongoing) and then - stop it (Ctrl+c), after it exits it should have the log files populated/closed etc. Then have a look in eve.json to see if it is populated? Could you also please share your stats.log file ?

I try your suggestion sir, and still, there is no log in file eve.json and stats.log. I don't know what is the problem that makes my suricata can't run. when I try command "suricata.exe -c suricata.yaml -i eth6" I've always got a notice that "suricata has stopped working", is there any clue sir?

#15

Updated by Peter Manev 3 months ago

You should try closing it with "Ctrl+c" from the command line - not via closing the window.

#16

Updated by Hanif Prasetiyo 3 months ago

Peter Manev wrote:

You should try closing it with "Ctrl+c" from the command line - not via closing the window.

sure, sir, I try to close it with "CTRL+C" and still it doesn't work, because of this problem (also you can see in the screenshot)

Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    suricata.exe
  Application Version:    0.0.0.0
  Application Timestamp:    5cc94cc1
  Fault Module Name:    msvcrt.dll
  Fault Module Version:    7.0.7601.23403
  Fault Module Timestamp:    56f58ae0
  Exception Code:    c0000005
  Exception Offset:    0000000000015a61
  OS Version:    6.1.7601.2.1.0.256.1
  Locale ID:    1033
  Additional Information 1:    2a54
  Additional Information 2:    2a54d3a4c441d1db77abf1618febafab
  Additional Information 3:    a131
  Additional Information 4:    a1318dd918e8f0ffb3d68bd39beb2c4c

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt
#17

Updated by Peter Manev 3 months ago

Thank you for the feedback that helps!
I cant reproduce it as I do not have Windows 7 machine. It may not be related to that at all but I cant replicate the problem. Any chance you could try a diff windows - 2016/win10 64bit etc ?

#18

Updated by Hanif Prasetiyo 3 months ago

Peter Manev wrote:

Thank you for the feedback that helps!
I cant reproduce it as I do not have Windows 7 machine. It may not be related to that at all but I cant replicate the problem. Any chance you could try a diff windows - 2016/win10 64bit etc ?

ok sir, thx for your patience helping me. I hope someday suricata can run on windows 7. I'm gonna try your suggestion sir. Thank you very much.

#19

Updated by Victor Julien 3 months ago

For the record: Windows 7 support is ending, so it's not a target we intend to support. See https://www.microsoft.com/en-us/windowsforbusiness/end-of-windows-7-support

#20

Updated by Victor Julien 3 months ago

  • Description updated (diff)
#21

Updated by Hanif Prasetiyo 3 months ago

Hanif Prasetiyo wrote:

Peter Manev wrote:

Thank you for the feedback that helps!
I cant reproduce it as I do not have Windows 7 machine. It may not be related to that at all but I cant replicate the problem. Any chance you could try a diff windows - 2016/win10 64bit etc ?

ok sir, thx for your patience helping me. I hope someday suricata can run on windows 7. I'm gonna try your suggestion sir. Thank you very much.

Peter Manev wrote:

Thank you for the feedback that helps!
I cant reproduce it as I do not have Windows 7 machine. It may not be related to that at all but I cant replicate the problem. Any chance you could try a diff windows - 2016/win10 64bit etc ?

Victor Julien wrote:

For the record: Windows 7 support is ending, so it's not a target we intend to support. See https://www.microsoft.com/en-us/windowsforbusiness/end-of-windows-7-support

well hello again sir, I try to install suricata on windows 10 2016 64 bit and the problem is same as I install suricata on windows 7 (you can see on the image), can you tell me what is the system requirement of suricata?

#22

Updated by Peter Manev 3 months ago

It may sound strange - but there is no Antivirus or something similar that hinders the operation ?

#23

Updated by Peter Manev 3 months ago

Also - do you have an network interface on your Windows called "eth0" ?
what happens if you start it like -

suricata -c suricata.yaml -vvv -i ip.ip.ip.ip

for example
suricata -c suricata.yaml -vvv -i 10.0.2.15
?

#24

Updated by Hanif Prasetiyo 3 months ago

Peter Manev wrote:

Also - do you have an network interface on your Windows called "eth0" ?
what happens if you start it like -
[...]
for example
suricata -c suricata.yaml -vvv -i 10.0.2.15
?

thx for your replies sir, I try as you suggest it seems work but I don't know it's work fine or no because i'm getting some error code when trying to run it

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\Program Files\Suricata

C:\Program Files\Suricata>suricata.exe -c suricata.yaml -i 10.0.2.15 -vvv
11/6/2019 -- 13:32:56 - <Info> - Running as service: no
11/6/2019 -- 13:32:56 - <Info> - translated 10.0.2.15 to pcap device \Device\NPF_{16A8E7C7-29BE-4F91-8834-9C018CA5CC3E}
11/6/2019 -- 13:32:56 - <Notice> - This is Suricata version 4.1.4 RELEASE
11/6/2019 -- 13:32:56 - <Info> - CPUs/cores online: 1
11/6/2019 -- 13:32:56 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34359 and 'request-body-inspect-window' set to 4295 after randomization.
11/6/2019 -- 13:32:57 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 40587 and 'response-body-inspect-window' set to 15640 after randomization.
11/6/2019 -- 13:32:57 - <Config> - DNS request flood protection level: 500
11/6/2019 -- 13:32:57 - <Config> - DNS per flow memcap (state-memcap): 524288
11/6/2019 -- 13:32:57 - <Config> - DNS global memcap: 16777216
11/6/2019 -- 13:32:57 - <Config> - Protocol detection and parser disabled for modbus protocol.
11/6/2019 -- 13:32:57 - <Config> - Protocol detection and parser disabled for enip protocol.
11/6/2019 -- 13:32:57 - <Config> - Protocol detection and parser disabled for DNP3.
11/6/2019 -- 13:32:57 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
11/6/2019 -- 13:32:57 - <Config> - preallocated 1000 hosts of size 104
11/6/2019 -- 13:32:57 - <Config> - host memory usage: 366144 bytes, maximum: 33554432
11/6/2019 -- 13:32:57 - <Info> - Shortening device name to: \Devi..C3E}
11/6/2019 -- 13:32:57 - <Config> - allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
11/6/2019 -- 13:32:57 - <Config> - preallocated 65535 defrag trackers of size 120
11/6/2019 -- 13:32:57 - <Config> - defrag memory usage: 9437064 bytes, maximum: 33554432
11/6/2019 -- 13:32:57 - <Config> - stream "prealloc-sessions": 2048 (per thread)
11/6/2019 -- 13:32:57 - <Config> - stream "memcap": 67108864
11/6/2019 -- 13:32:57 - <Config> - stream "midstream" session pickups: disabled
11/6/2019 -- 13:32:57 - <Config> - stream "async-oneside": disabled
11/6/2019 -- 13:32:57 - <Config> - stream "checksum-validation": enabled
11/6/2019 -- 13:32:57 - <Config> - stream."inline": disabled
11/6/2019 -- 13:32:57 - <Config> - stream "bypass": disabled
11/6/2019 -- 13:32:57 - <Config> - stream "max-synack-queued": 5
11/6/2019 -- 13:32:57 - <Config> - stream.reassembly "memcap": 268435456
11/6/2019 -- 13:32:57 - <Config> - stream.reassembly "depth": 1048576
11/6/2019 -- 13:32:57 - <Config> - stream.reassembly "toserver-chunk-size": 2469
11/6/2019 -- 13:32:57 - <Config> - stream.reassembly "toclient-chunk-size": 2466
11/6/2019 -- 13:32:57 - <Config> - stream.reassembly.raw: enabled
11/6/2019 -- 13:32:57 - <Config> - stream.reassembly "segment-prealloc": 2048
11/6/2019 -- 13:32:57 - <Info> - fast output device (regular) initialized: fast.log
11/6/2019 -- 13:32:57 - <Info> - eve-log output device (regular) initialized: eve.json
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'alert'
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'http'
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'dns'
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'tls'
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'files'
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'smtp'
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'dhcp'
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'ssh'
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'stats'
11/6/2019 -- 13:32:57 - <Config> - enabling 'eve-log' module 'flow'
11/6/2019 -- 13:32:57 - <Info> - stats output device (regular) initialized: stats.log
11/6/2019 -- 13:32:57 - <Config> - Delayed detect disabled
11/6/2019 -- 13:32:57 - <Config> - pattern matchers: MPM: ac, SPM: bm
11/6/2019 -- 13:32:57 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
11/6/2019 -- 13:32:57 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
11/6/2019 -- 13:32:57 - <Config> - prefilter engines: MPM
11/6/2019 -- 13:32:57 - <Config> - IP reputation disabled
11/6/2019 -- 13:32:57 - <Config> - Loading rule file: C:\\Program Files\\Suricata\\rules\\emerging-dos.rules
11/6/2019 -- 13:32:57 - <Config> - Loading rule file: C:\\Program Files\\Suricata\\rules\\emerging-scan.rules
11/6/2019 -- 13:32:57 - <Info> - 2 rule files processed. 291 rules successfully loaded, 0 rules failed
11/6/2019 -- 13:32:57 - <Info> - Threshold config parsed: 0 rule(s) found
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for tcp-packet
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for tcp-stream
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for udp-packet
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for other-ip
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_uri
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_request_line
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_client_body
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_response_line
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_header
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_header
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_header_names
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_header_names
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_accept
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_accept_enc
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_accept_lang
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_referer
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_connection
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_content_len
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_content_len
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_content_type
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_content_type
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_protocol
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_protocol
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_start
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_start
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_raw_header
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_raw_header
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_method
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_cookie
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_cookie
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_raw_uri
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_user_agent
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_host
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_raw_host
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_stat_msg
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for http_stat_code
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for dns_query
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for tls_sni
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for tls_cert_issuer
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for tls_cert_subject
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for tls_cert_serial
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for tls_cert_fingerprint
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for ja3_hash
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for ja3_string
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for dce_stub_data
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for dce_stub_data
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for ssh_protocol
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for ssh_protocol
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for ssh_software
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for ssh_software
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for file_data
11/6/2019 -- 13:32:57 - <Perf> - using shared mpm ctx' for file_data
11/6/2019 -- 13:32:57 - <Info> - 291 signatures processed. 0 are IP-only rules, 154 are inspecting packet payload, 155 inspect application layer, 0 are decoder event only
11/6/2019 -- 13:32:57 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
11/6/2019 -- 13:32:57 - <Perf> - TCP toserver: 41 port groups, 27 unique SGH's, 14 copies
11/6/2019 -- 13:32:57 - <Perf> - TCP toclient: 9 port groups, 5 unique SGH's, 4 copies
11/6/2019 -- 13:32:57 - <Perf> - UDP toserver: 32 port groups, 16 unique SGH's, 16 copies
11/6/2019 -- 13:32:57 - <Perf> - UDP toclient: 14 port groups, 8 unique SGH's, 6 copies
11/6/2019 -- 13:32:57 - <Perf> - OTHER toserver: 2 proto groups, 1 unique SGH's, 1 copies
11/6/2019 -- 13:32:57 - <Perf> - OTHER toclient: 2 proto groups, 0 unique SGH's, 2 copies
11/6/2019 -- 13:32:57 - <Perf> - Unique rule groups: 57
11/6/2019 -- 13:32:57 - <Perf> - Builtin MPM "toserver TCP packet": 10
11/6/2019 -- 13:32:57 - <Perf> - Builtin MPM "toclient TCP packet": 4
11/6/2019 -- 13:32:57 - <Perf> - Builtin MPM "toserver TCP stream": 14
11/6/2019 -- 13:32:57 - <Perf> - Builtin MPM "toclient TCP stream": 3
11/6/2019 -- 13:32:57 - <Perf> - Builtin MPM "toserver UDP packet": 16
11/6/2019 -- 13:32:57 - <Perf> - Builtin MPM "toclient UDP packet": 8
11/6/2019 -- 13:32:57 - <Perf> - Builtin MPM "other IP packet": 1
11/6/2019 -- 13:32:57 - <Perf> - AppLayer MPM "toserver http_uri": 2
11/6/2019 -- 13:32:57 - <Perf> - AppLayer MPM "toserver http_client_body": 1
11/6/2019 -- 13:32:57 - <Perf> - AppLayer MPM "toserver http_header": 2
11/6/2019 -- 13:32:57 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
11/6/2019 -- 13:32:57 - <Perf> - AppLayer MPM "toserver http_user_agent": 2
11/6/2019 -- 13:32:57 - <Perf> - AppLayer MPM "toclient file_data": 1
11/6/2019 -- 13:32:57 - <Config> - AutoFP mode using "Hash" flow load balancer
11/6/2019 -- 13:32:57 - <Info> - Using 1 live device(s).
11/6/2019 -- 13:32:57 - <Info> - using interface \Device\NPF_{16A8E7C7-29BE-4F91-8834-9C018CA5CC3E}
11/6/2019 -- 13:32:58 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
11/6/2019 -- 13:32:58 - <Info> - Found an MTU of 1500 for '\Device\NPF_{16A8E7C7-29BE-4F91-8834-9C018CA5CC3E}'
11/6/2019 -- 13:32:58 - <Info> - Set snaplen to 1524 for '\Device\NPF_{16A8E7C7-29BE-4F91-8834-9C018CA5CC3E}'
11/6/2019 -- 13:32:58 - <Perf> - NIC offloading on \Device\NPF_{16A8E7C7-29BE-4F91-8834-9C018CA5CC3E}: Checksum IPv4 Rx: 0 Tx: 0 IPv6 Rx: 0 Tx: 0 LSOv1 IPv4: 0 LSOv2 IPv4: 0 IPv6: 0
11/6/2019 -- 13:32:58 - <Info> - RunModeIdsPcapAutoFp initialised
11/6/2019 -- 13:32:58 - <Config> - using 1 flow manager threads
11/6/2019 -- 13:32:58 - <Config> - using 1 flow recycler threads
11/6/2019 -- 13:32:58 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
11/6/2019 -- 13:35:54 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 read error: PacketReceivePacket failed
11/6/2019 -- 13:43:26 - <Notice> - Signal Received.  Stopping engine.
11/6/2019 -- 13:43:26 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
11/6/2019 -- 13:43:27 - <Info> - time elapsed 629.245s
11/6/2019 -- 13:43:27 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "FR#01".  Killing engine

and there is a log on eve.json and stats.log. Can you tell me is there something wrong?

#25

Updated by Peter Manev 3 months ago

You are getting than when you try to stop the engine - which in certain cases for example when there is no traffic can result in forcing it to disable threads on shutdown.
If that is the case (no continuous traffic on the interface) - the it would be "normal".

Also available in: Atom PDF